Endpoint Protection

  • 1.  New definitions pushing out when not supposed to

    Posted Dec 21, 2010 02:37 PM

    I am a system administrator at a company with about 50 clients and servers running Endpoint 11.0, with a dedicated server for the management console. Ever since we deployed Endpoint last week, LiveUpdate has been pushing out definitions twice, sometimes three times a day at random times. When this happens during work hours, it causes our VMware environment to pretty much freeze up until all definitions are updated. Problem is, I set the LiveUpdate policy only to push out new definitions at 1 A.M. Any reason as to why LiveUpdate would be pushing out new definitions whenever it wants?



  • 2.  RE: New definitions pushing out when not supposed to
    Best Answer

    Posted Dec 21, 2010 02:53 PM

    Whenever the SEPM downloads definitions, it will push them out to the clients, and this cannot be controlled from the LiveUpdate policy.

    Immediately disable the LiveUpdate policy setting that you have made, as that allows clients to download definitions from the internet and that is why it is slowing down your network.

    In SEPM go to

    Admin-Server-Local Site --Right-click --Properties--Liveupdate

    and set the schedule for when to download defs.

    Every 4 hours is set by default.

    In your LiveUpdate Policy, make sure only "Default Management Server" is selected. Uncheck Symantec LiveUpdate Server (as that allows clients to download defs from the internet).

    Then you can change the communication setting from PUSH mode to PULL mode and increase the heartbeat interval from 5 mins to more, say 1 hour or more, as that will give some breathing space to your network/bandwidth.

    From SEPM--Clients --select group--Policy--Communication Settings



  • 3.  RE: New definitions pushing out when not supposed to

    Posted Dec 21, 2010 06:45 PM

    >> Problem is, I set the LiveUpdate policy only to push out new definitions at 1 A.M.

    How did you do that? As Vikram wrote - if your clients connect in push mode, they will receive definitions at once.

    I would not change push mode to pull mode only to have definitions delivered at a certain period - it is going to be inefficient and will also influence other things like policy updates on clients (if your clients are in pull mode and heartbeat is 1h, you may need to wait up to 1h for your clients to get defs).

    Instead I would change the schedule for LiveUpdate. Open your console, go to the Admin panel and click on Servers. Right-click on Local site and choose Properties. Now go to LiveUpdate and set LU to run only once about 0:30 am. Your clients will be updated about 1am.

    Moreover, if you have not done it, please have a look at:

    Best Practice for Symantec Endpoint Protection Scheduled Scans in VMWare
    http://www.symantec.com/docs/TECH95928



  • 4.  RE: New definitions pushing out when not supposed to

    Posted Dec 23, 2010 11:14 AM

    Is there a reason you are using LiveUpdate to push definitions?  If you set up the SEPM to download definitions once a day (around 11 PM) and then have the clients check in on a regular pull mode heartbeat (4 to 6 hours), the clients should get their definitions by 5 AM at the latest and would not update during the work day.



  • 5.  RE: New definitions pushing out when not supposed to

    Posted Dec 24, 2010 07:30 PM

    >> on a regular pull mode heartbeat (4 to 6 hours)

    If the client is offline for a few days and then it connects again, how could you know when it checks in to SEPM (and pull mode 4-6 hours is kinda too much)? There is no way to plan at which hours clients connect, you can set intervals (heartbeat periods) only so you cannot say they check in at 5pm.



  • 6.  RE: New definitions pushing out when not supposed to

    Posted Dec 28, 2010 02:55 PM

    - LiveUpdate does not push anything.  Clients must always make the request, either via LiveUpdate (scheduled or manual) or from the SEPM (even in so-called 'push mode').

    - Which version of SEP is installed?  The newest versions have many improvements for virtualized environments to keep I/O down.  If you are not yet at RU6 MP2, you should plan to migrate as soon as you can.

    The best way to control what the clients receive (provided LiveUpdate is not scheduled and enabled for end users to launch) is to restrict when the SEPM itself checks for updates: Admin > Servers > highlight Local Site > Tasks and Edit Site Properties, the LiveUpdate tab.

    I would not make the heartbeat quite so large, as this means the clients upload logs more infrequently and your SEPM will not be displaying information that's very timely.

    sandra